TLS Server Name Indication/TLS v1.2

[Xorlev]

I was wondering the TLS SNI Extension could be added to LSWS for support of SSL name-based virtual hosts. It's a pretty recent thing, but for my sites I end up using a certificate with a subjectAltName. I currently self-sign instead of paying for this as my subjectAltName's change so I end up reissuing every few months. Supporting TLS SNI would help workaround this, most major browsers support TLS SNI.

This would require supporting TLS v1.2 I believe. That wouldn't be a bad thing, TLS v1.0 was barely an upgrade to SSLv3 and TLSv1.1 has been out since 2006, 1.2 out since 2008.

Nothing high priority, but SSL name-based virtual hosting would certainly be a leg up for LSWS.

 

[mistwang]

Any web server support it?
We use openssl library, so support of TLS 1.2 in openssl first.

 

[Xorlev]

Apache supports it via mod_gnutls by means of the GnuTLS library. Yassl library supports it too.

IIS7.5 supports it natively.

The issue with waiting on OpenSSL is they're working on projects they're paid to do so, I don't think TLS 1.2 ranks too far up there. 0.9.9 was supposed to have it.

 

[dpward]

Apache+OpenSSL currently supports SNI

OpenSSL added support for SNI in version 0.9.8f (at first an optional feature, then it was enabled by default in 0.9.8k). Apache added support for SNI in 2.2.12: wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
(I would make this a hyperlink, but the board won't let me because my post count is low? )

SNI (RFC 4366) can be used as an extension to TLS 1.0 and TLS 1.1; the software just has to support the extension (as you said, all modern browsers do, as well as Apache/OpenSSL). SNI is also rolled into TLS 1.2 (RFC 5246) as you mentioned.

My web host uses LiteSpeed, and I would tremendously benefit from having SNI support. Please consider adding it!

 

[andreas]

Any news on this feature?

 

[mistwang]

It is in 4.1RC3 build already.

 

[andreas]

Cool, thanks!

 

[andreas]

I am using lsws 2.1rc5. How do I configure SNI? I didn't find anything.

 

[mistwang]

in native configuration or through Apache httpd.conf?
For native configuration, configure a SSL listener with a default certificate, then add certificate for each vhost binds to that SSL listener. there should be SSL tab for vhost configuration.
For Apache vhost, just let multiple secure sites share one IP.

 

[andreas]

Native config. When I go to the VHost mappings and click "edit", there is an SSL tab, but it just points to the SSL settings of the listener.

 

[apache]

I'd configured 4 SSL certs for 4 vhost, a default cert in SSL listener. It works great in Windows 7 IE8 and as well as Firefox 2 but some users experience certificate error (cert is referring to default cert) because they are using IE 8 Windows XP which does not support SNI!!

Is there anything we can do for those users?

 

[andreas]

You could get a multi-domain certificate ($59 at StartSSL for unlimited number of domains). I just recently learned that this exists, and at least for me it basically eliminates the need for SNI.

 

[apache]

You could get a multi-domain certificate ($59 at StartSSL for unlimited number of domains). I just recently learned that this exists, and at least for me it basically eliminates the need for SNI.

Noted with thanks